This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

BTD - PROCEXP152.SYS - Vulnerable Driver Loaded

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

BTD - PROCEXP152.SYS - Vulnerable Driver Loaded

Go to solution
Panagiss
L1 Bithead

‎06-20-2023 06:07 AM

Cortex blocked driver PROCEXP152.SYS from being loaded (rule: sync.vulnerable_driver_by_original_name_loaded_procexp)
The thing it that this is a signed microsoft driver and it's kind of a known situation for many other vendors.

Links: Process Explorer - ProcExp152.sys Driver Flagged As Vulnerable - Microsoft Q&A , SentinelOne annoyance! : r/sysadmin (reddit.com)

 

Does anyone seen this in Cortex before? What it's the best thing to do?

Thanks

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
afurze
L4 Transporter

‎06-20-2023 08:37 AM

Hi Panagiss,

 

Cortex XDR is indicating that this is a vulnerable driver, not that it is not a legitimate driver (we're not disputing that it's signed by MS).  A common tactic used by attackers is to take advantage of highly trusted binaries which are vulnerable to abuse to perform actions like killing EDR tools.  There are many examples of executables which are vulnerable to misuse, including older versions of the process explorer binary.  To prevent misuse, Cortex XDR blocks loading of vulnerable versions of this executable by default.

 

If you want to allow this driver to be loaded in your environment, you can create a Disable Prevention Rule and (optionally) an Alert Exclusion to allow the driver to be loaded and suppress associated alerts from the console.  Keep in mind that this will create a risk for your organization as attackers could exploit this driver to kill Cortex XDR on the endpoint they have gained access to.

View solution in original post

0 Likes Likes
1 REPLY 1

Go to solution
afurze
L4 Transporter

‎06-20-2023 08:37 AM

Hi Panagiss,

 

Cortex XDR is indicating that this is a vulnerable driver, not that it is not a legitimate driver (we're not disputing that it's signed by MS).  A common tactic used by attackers is to take advantage of highly trusted binaries which are vulnerable to abuse to perform actions like killing EDR tools.  There are many examples of executables which are vulnerable to misuse, including older versions of the process explorer binary.  To prevent misuse, Cortex XDR blocks loading of vulnerable versions of this executable by default.

 

If you want to allow this driver to be loaded in your environment, you can create a Disable Prevention Rule and (optionally) an Alert Exclusion to allow the driver to be loaded and suppress associated alerts from the console.  Keep in mind that this will create a risk for your organization as attackers could exploit this driver to kill Cortex XDR on the endpoint they have gained access to.

0 Likes Likes
  • 1 accepted solution
  • 7420 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks